This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox won't trust imported certificate

  • 9 iimpendulo
  • 1 inayo le ngxaki
  • 10 views
  • Impendulo yokugqibela ngu cor-el

more options

In order for our secure webfilter to filter traffic on SSL encrypted websites, we have to install a certificate that will allow for an intentional mitm attack. We have only had a problem having this certificate replace Google's recently. Do we need to take an added step to have this certificate truly become trusted?

In order for our secure webfilter to filter traffic on SSL encrypted websites, we have to install a certificate that will allow for an intentional mitm attack. We have only had a problem having this certificate replace Google's recently. Do we need to take an added step to have this certificate truly become trusted?

All Replies (9)

more options

I would like a response, please.

more options

can you be more specific about what kind of error message / error code you are receiving?

more options

I have attached a screenshot.

more options

thanks, this screenshot doesn't reveal an error with a certificate but indicates that there are parts of the website which are not loaded through https (so called "mixed content"). you can inspect that by looking in the security tab of the firefox web console: https://developer.mozilla.org/en-US/docs/Security/MixedContent

you'd have to look into the workings of your MITMing solution on why it may be causing this...

more options

This issue exists for several different MITM solutions, including other SWGs and antivirus software. The problem, I believe, lies with Firefox not accepting self-signed certificates as a trusted cert, regardless of whether or not you import it to Firefox's own trusted certificate store. This issue also seems to have arisen recently as I used to be able to use my solution at least 3 months ago with no issue.

more options

as your screenshots shows, there are elements of google.com which are loaded through http (this has to be caused by the MITM software is out of the control of firefox) - if a self-signed cert wasn't trusted you would see a different, full page error looking something like: Connection Untrusted

more options

I understand.

I am aware that one can ignore these warnings, however I need a solution where I can do this over a managed network, namely in AD and JAMF/Casper where I can automatically do this for a large amount of users. I also wish that this option wasn't enabled by default as it breaks a lot of enterprise products.

more options

alexander.diaz said

I understand. I am aware that one can ignore these warnings, however I need a solution where I can do this over a managed network, namely in AD and JAMF/Casper where I can automatically do this for a large amount of users. I also wish that this option wasn't enabled by default as it breaks a lot of enterprise products.

Any ideas on how I can manage this?

more options

Open the "Add Security Exception" window by pasting this chrome URL in the Firefox location/address bar and check the certificate:

  • chrome://pippki/content/exceptionDialog.xul

In the location field of this window type or paste the URL of the website.

  • retrieve the certificate via the "Get certificate" button
  • click the "View..." button to inspect the certificate in the Certificate Viewer

You can inspect details like the issuer and the certificate chain in the Details tab of the Certificate Viewer. Check who is the issuer of the certificate. If necessary then you can attach a screenshot that shows the certificate viewer.

Firefox needs a root certificate that has the proper trust bit(s) to be able to build a certificate chain.